topic Re: Ldap authentication via ssh in Network Access Control

Ldap authentication via ssh

lafourchette — Mon, 11 Mar 2019 01:14:41 GMT

Hello,

We just bought a cisco 1921 and i'm trying to identify my users against an LDAP server. I have two problems:

-When I use the test command to test the authentication (test aaa group ...), it only works when the password is in cleartext in the LDAP server.

-When I try to login via ssh to the router, I got this error in my syslog:

Jul 22 13:18:24 10.20.42.3 1465: *Jul 22 11:18:49.255: AAA/BIND(0000002D): Bind i/f

Jul 22 13:18:24 10.20.42.3 1466: *Jul 22 11:18:49.255: AAA/AUTHEN/LOGIN (0000002D): Pick method list 'LDAP_login'

Jul 22 13:18:24 10.20.42.3 1467: *Jul 22 11:18:49.255: LDAP: LDAP: Queuing AAA request 45 for processing

Jul 22 13:18:24 10.20.42.3 1468: *Jul 22 11:18:49.255: LDAP: Received queue event, new AAA request

Jul 22 13:18:24 10.20.42.3 1469: *Jul 22 11:18:49.255: LDAP: LDAP authentication request

Jul 22 13:18:24 10.20.42.3 1470: *Jul 22 11:18:49.255: LDAP: Username/Password sanity check failed!!

Jul 22 13:18:24 10.20.42.3 1471: *Jul 22 11:18:49.255: LDAP: LDAP doesn't suport interactive login

Is there any solution? Or is it just for VPN login?

Ldap authentication via ssh

lafourchette — Wed, 27 Jul 2011 08:30:19 GMT

Anyone?

Ldap authentication via ssh

lafourchette — Mon, 22 Aug 2011 09:38:46 GMT

Really? Nobody ever tried to authenticate via LDAP?

Ldap authentication via ssh

Andrew Norman — Thu, 27 Oct 2011 11:27:01 GMT

I have agonised over this my self.

It seems ldap can only authenticate using PAP

Set your client to PAP only and it works

Check this, using chap:

*Oct 27 11:33:27.875: LDAP: LDAP authentication request

*Oct 27 11:33:27.875: LDAP: Username/Password sanity check failed!!

*Oct 27 11:33:27.875: LDAP: Notifying AAA: REQUEST FAILED

And then using PAP:

*Oct 27 11:35:06.987: LDAP: LDAP Messages to be processed: 1
*Oct 27 11:35:06.987: LDAP: LDAP Message type: 97
*Oct 27 11:35:06.987: LDAP: Got ldap transaction context from reqid 47ldap_parse_result
*Oct 27 11:35:06.987: LDAP: resultCode: 0 (Success)
*Oct 27 11:35:06.987: LDAP: Received Bind Responseldap_parse_result
*Oct 27 11:35:06.987: LDAP: Ldap Result Msg: SUCCESS, Result code =0
*Oct 27 11:35:06.987: LDAP: LDAP Bind successful for DN:CN=***********,CN=******,DC=****,DC=com
*Oct 27 11:35:06.987: LDAP: * LDAP PASSWORD VERIFY DONE *
*Oct 27 11:35:06.987: LDAP: Next Task: All authentication task completed
*Oct 27 11:35:06.987: LDAP: Transaction context removed from list [ldap reqid=47]
*Oct 27 11:35:06.987: LDAP: * * AUTHENTICATION COMPLETED SUCCESSFULLY * *
*Oct 27 11:35:06.987: LDAP: Notifying AAA: REQUEST SUCCESSldap_msgfree
ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_err2string

*Oct 27 11:35:06.987: LDAP: Finished processing ldap msg, Result:Success
*Oct 27 11:35:06.995: %IP_VFR-7-FEATURE_DISABLE_IN: VFR(in) is manually disabled through CLI; VFR support for features that have internally enabled, will be made available only when VFR is enabled manually on interface Virtual-Access3
*Oct 27 11:35:06.999: LDAP: Received socket event
*Oct 27 11:35:07.007: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Oct 27 11:35:07.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up

Re: Ldap authentication via ssh

autoko1@3 — Thu, 29 Mar 2018 03:07:00 GMT

How do you set it to PAP only?